
Massachusetts imposes Data Privacy Rules on Sports Betting Operators: What You Need to Know

Friday, 15 September 2023 / 12:00

(Massachusetts).- The Massachusetts Gaming Commission recently approved new Sports Wagering Data Privacy Rules that will likely require companies to implement new policies to protect their customers’ personal information.

The rules, which became effective on September 1, 2023, share several similarities with the California Privacy Rights Act (CPRA) and Colorado Privacy Act (CPA). Still, they also include a few unique directives that must be considered.

Here is what you need to know:

Broad definitions

  • The definition of “personally identifiable information” is broad and tracks CPRA and other state laws, including information which is “reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular patron, individual or household.”
  • The definition of “confidential information” is very broad, and includes things like the amount credited to, debited from, withdrawn from, or present in any particular sports wagering account; the amount of money wagered by a particular patron on any event or series of events; the unique patron ID or username and authentication credentials that identify the patron; the identities of particular sporting events on which the patron is wagering or has wagered, or the location from which the patron is wagering, has wagered, or has accessed their sports wagering account.

Privacy notice

  • Required disclosure on all information collected, purpose, sharing and security.
  • There needs to be active agreement to the notice before collection, as well as agreement to any material updates (but this is different from secondary uses, which require consent as opposed to “agreement”).

Data minimization; consent and personalization

  • Data minimization and retention limitation. A Sports Wagering Operator shall only use confidential information and personally identifiable information as necessary to operate the facility or platform or to comply with the law and other specific purposes, like security.
  • Consent is necessary for any secondary uses. It can be withdrawn at any time without any dark patterns interfering with this.
  • Consent needs to be clear and conspicuous and separate from any terms of use.
  • You may not promote or target based on things like: (1) income, debt, net worth, credit history, or status as beneficiary of governmental programs; medical status or conditions; occupation; (2) period of dormancy or non-use of a Sports Wagering Platform; (3) the wagers made or promotional offers accepted by other patrons with a known or predicted social connection to the patron; (4) the communications of the patron with any third party other than the operator; (5) automated decision making; (6) usage of cooling off or play management options.
  • Requirement to collect and aggregate patrons’ confidential information and personally identifiable information to analyze patron behavior for the purposes of identifying and developing programs and interventions to promote responsible gaming and support problem gamblers, and to monitor and deter sports wagering in violation.

Data sharing

  • Sharing only as necessary and requiring the recipient to maintain in confidence and only use for the purpose (aka: data sharing agreements required).
  • For sharing which is necessary for the service, you need a data sharing agreement with specific provisions including information security and incident response.
  • Required use of encryption and Multi-Factor Authentication (MFA).

Patron rights

  • Including a description of the processing: a copy of the information held, updates to the information, restriction on use and deletion.
  • Specific requirements around responding to requests and deletion of the information.

Required data program

  • A Sports Wagering Operator shall develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of business and addressing confidentiality, security, secure disposal, employee training on data privacy, restrictions on access, monitoring of systems, cybersecurity insurance, incident response, and periodic audits.
  • Required compliance with all applicable state and federal data security requirements including: M.G.L. c. 93A, M.G.L. c. 93H, 940 CMR 3.00, 940 CMR 6.00 and 201 CMR 17.00.

Data breach notification

  • Required notification of the Commission within 5 days of discovery of a suspected data breach involving CI or PII.
  • Required submission of completed investigation report and remediation plan (if applicable).
  • Submission of a report from a qualified third-party forensic examiner (if required).
  • Compliance with all applicable data breach laws.
